Talos Vulnerability Report

TALOS-2016-0051

OpenOffice Impress MetaActions Arbitrary Read Write Vulnerability

July 21, 2016

CVE Number

CVE-2016-1513

Description

An exploitable out-of-bounds vulnerability exists in OpenOffice when handling MetaActions. A specially crafted OpenOffice Impress file can cause an out-of-bounds read/write resulting in potential code execution. An attacker can provide the malicious file to trigger this vulnerability.

Tested Versions

Apache Open Office 4.1.1

Product URLs

http://openoffice.apache.org

Details

In the attached sample, an out-of-bounds access occurs when replacing a Polygon in the PolyPolygon object while performing a MetaPolyPolygonAction. In this case the position in the array is 512, while the array containing Polygons (mpPolyAry) is only 2 in size. This results in a delete of a pointer that is read out of bounds at line 228 of file main\tools\source\generic\poly2.cxx, followed at line 229 by an out-of-bounds write of a new pointer obtained by creating a new Polygon at that location. This provides an attacker with multiple ways to exploit this vulnerability: through a free of an invalid pointer, and if that fails, the out-of-bounds write of a new pointer could provide a second opportunity for exploitation.
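The following is an added illustration, not OpenOffice's code: a minimal C++ model of a PolyPolygon-style container of Polygon pointers, with the unchecked replace pattern the advisory describes next to a bounds-checked version, and a small driver that feeds it the advisory's numbers (position 512 against a 2-entry array). The class names, the ReplaceRecord layout and the PointCount helper are assumptions made for the example; the point it demonstrates is that validating the index against the array size before the delete and the store turns the out-of-bounds read/write into a rejected record.

```cpp
#include <cstddef>
#include <vector>

// Added illustration, not OpenOffice code: a minimal stand-in for the
// Polygon class referenced in the advisory.
struct Polygon {
    std::vector<int> points;
};

// Minimal stand-in for PolyPolygon's array of Polygon pointers (mpPolyAry in
// the advisory), holding a fixed number of entries.
class PolyPolygonModel {
public:
    explicit PolyPolygonModel(std::size_t count)
        : mnCount(count), mpPolyAry(new Polygon*[count]) {
        for (std::size_t i = 0; i < mnCount; ++i)
            mpPolyAry[i] = new Polygon{};
    }
    ~PolyPolygonModel() {
        for (std::size_t i = 0; i < mnCount; ++i) delete mpPolyAry[i];
        delete[] mpPolyAry;
    }
    PolyPolygonModel(const PolyPolygonModel&) = delete;
    PolyPolygonModel& operator=(const PolyPolygonModel&) = delete;

    std::size_t Count() const { return mnCount; }

    // Shape of the bug the advisory describes: nPos comes straight from the
    // file and is never compared with the array size. With nPos = 512 and
    // mnCount = 2 the delete reads a pointer beyond the array and the store
    // writes a fresh pointer beyond it. Kept only for contrast; never call it
    // with nPos >= Count().
    void ReplaceUnchecked(const Polygon& rPoly, std::size_t nPos) {
        delete mpPolyAry[nPos];
        mpPolyAry[nPos] = new Polygon(rPoly);
    }

    // Hardened form: validate the index before touching the array and report
    // failure to the caller instead of corrupting memory.
    bool ReplaceChecked(const Polygon& rPoly, std::size_t nPos) {
        if (nPos >= mnCount) return false;
        delete mpPolyAry[nPos];
        mpPolyAry[nPos] = new Polygon(rPoly);
        return true;
    }

    // Number of points stored at nPos, or 0 for an out-of-range index.
    std::size_t PointCount(std::size_t nPos) const {
        return nPos < mnCount ? mpPolyAry[nPos]->points.size() : 0;
    }

private:
    std::size_t mnCount;
    Polygon** mpPolyAry;
};

// Constructed stand-in for the fields of a replace request decoded from a
// MetaPolyPolygonAction record (hypothetical layout, not the real one).
struct ReplaceRecord {
    std::size_t targetIndex;
    std::size_t pointCount;
};

// Applies a decoded record through the checked path and returns whether it
// was accepted; index 512 against a 2-entry array must be rejected.
bool ApplyReplaceRecord(PolyPolygonModel& rPolyPoly, const ReplaceRecord& rRec) {
    Polygon aPoly;
    aPoly.points.assign(rRec.pointCount, 0);
    return rPolyPoly.ReplaceChecked(aPoly, rRec.targetIndex);
}

int main() {
    PolyPolygonModel aPolyPoly(2);                     // array of 2, as in the sample
    ReplaceRecord aBad{512, 4};                        // position 512, as in the sample
    ReplaceRecord aGood{1, 4};                         // in-range replacement
    bool bBad = ApplyReplaceRecord(aPolyPoly, aBad);   // false: rejected
    bool bGood = ApplyReplaceRecord(aPolyPoly, aGood); // true: entry 1 now has 4 points
    return (!bBad && bGood) ? 0 : 1;
}
```

The checked path returns a status rather than aborting so the caller that decodes the metafile can discard the malformed action and continue, which is the behaviour a defender wants from a document parser: a crafted record fails closed instead of reaching the delete and the pointer store.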